Blog

Sorry for taking over the main page with document updates. I've been updating the docs with the new logo, as well as cleaning up the formatting. I'm hoping this will make it easier to read the Best Practices.

I hope to have most updated by the end of the year, I'll also be updating some of the videos included in the Best Practices.

The McAfee ENS Analyzer content for both DAC Rules has a creation date of Aug 2016, whereas the ransomware was made known to the public on 23 Nov. Taking those two dates, the McAfee endpoint solution provided pre-emptive protection for more than 12 months before this ransomware was publicly known.

A new variant of the CryptoMix Ransomware is being distributed that appends the .XZZX extension to encrypted file names. While the encryption methods stay the same in this variant, there are some slight differences. The ransom note is still named _HELP_INSTRUCTION.TXT, but now lists the xzzx@tuta.io, xzzx1@protonmail.com, xzzx10@yandex.com, and xzzx101@yandex.com emails for a victim to contact for payment information.

The McAfee ENS Analyzer content for both DAC Rules has a creation date of Aug 2016, whereas the ransomware was made known to the public on 13 Nov. Taking those two dates, the McAfee endpoint solution provided pre-emptive protection for more than 12 months before this ransomware was publicly known.

A new ransomware strain named Bad Rabbit is wreaking havoc in many Eastern European countries, affecting both government agencies and private businesses alike.

At the time of writing, the ransomware has hit countries such as Russia, Ukraine, Bulgaria, and Turkey.

Confirmed victims include the Odessa airport in Ukraine, the Kiev subway system in Ukraine, the Ukrainian Ministry of Infrastructure, and three Russian news agencies, including Interfax and Fontanka. Ukraine's CERT team has posted an alert and is warning Ukrainian businesses about this new outbreak.

The McAfee ENS Analyzer content for both DAC Rules has a creation date of Aug 2016, whereas the ransomware was made known to the public on 25 Oct 2017. Taking those two dates, the McAfee endpoint solution provided pre-emptive protection for more than 12 months before this ransomware was publicly known.

Excerpt: By opening DXL to the industry through an open software development kit (SDK), more enterprises, developers, and organizations can participate to expand the value and impact of a DXL deployment: we are activating the Network Effect. The SDK enables a unified model for integrating software vendors’ best ideas with in-house developed and legacy systems to turn an unwieldy, unsustainable set of tools and data sets into a system that functions in real time and is easier to build, test, and maintain consistently. It reduces the error, disruption, and change that create vulnerability up front and over the business’ life. Together—through better sharing of intelligence and tighter integration of the systems that use it—we as an industry create a security operations platform that connects the good guys in a collaborative team. Join the revolution at mcafee.com/opendxl.

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for September 13, 2016.

Welcome to the September Patch Tuesday update. This was a busy month in which Microsoft released a total of Fourteen (14) new security bulletins, including one for Adobe Flash. For this month, Seven (7) of these are rated Critical. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The remaining Seven (7) are rated Important.

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for August 8, 2016.

Welcome to the August Patch Tuesday update. This was a lighter than average month in which Microsoft released a total of Nine (9) new security bulletins. For this month, Five (5) of these are rated Critical. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The remaining Four (4) are rated Important.

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

This security update is rated Critical for Microsoft Edge on Windows 10.

MS16-097 (CVE-2016-3301, 3303, and 3304)

This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, and Microsoft Lync. The vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The security update addresses the vulnerabilities by correcting how the Windows font library handles embedded fonts.

MS16-098 (CVE-2016-3308, 3309, 3310, and 3311)

The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

The security update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.

MS16-099 (CVE-2016-3313, 3315, 3316, 3317, and 3318)

The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

The security update addresses the vulnerabilities by correcting how affected versions of Office and Office components handle objects in memory.

MS16-100 (CVE-2016-3320)

The vulnerability could allow security feature bypass if an attacker installs an affected boot manager and bypasses Windows security features.

The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application on a domain-joined system.

This security update is rated Important for all supported releases of Microsoft Windows.

The update addresses the vulnerabilities by modifying how Windows authentication methods handle the establishment of secure channels.

MS16-102 (CVE-2016-3319)

The vulnerability could allow remote code execution if a user views specially crafted PDF content online or opens a specially crafted PDF document. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The update addresses the vulnerability by correcting how affected systems handle objects in memory.

MS16-103 (CVE-2016-3312)

The vulnerability could allow information disclosure when Universal Outlook fails to establish a secure connection.

This security update is rated Important for all supported editions of Windows 10.

The update addresses the vulnerability by preventing Universal Outlook from disclosing usernames and passwords.

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

Hi Gurus!

The Olympics are just around the corner (August 5th - August 21st) and with that comes extra streaming! The Content and Categorization Team has been working on coverage for the past couple of weeks to prepare for the event. I'll highlight some of the categories being used for Olympic-related sites as well as some ideas you can use in your MWG to handle the traffic.

Related Categories

There are a number of categories that the team has been using to categorize the streaming sites related to the Olympics:

Streaming Media - Web pages that provide streaming media, or contain software plug-ins for displaying audio and visual data before the entire file has been transmitted.

Internet/Radio/TV - Web pages that provide software or access to continuous audio or video broadcasting, such as Internet radio, TV programming, or podcasting.

Throughout the Olympics, coverage will be added as sites pop up close to or during the event. Streaming Media and Internet/Radio/TV will be used to categorize sites that properly license the content. Potential Illegal Software will be used to categorize sites which could potentially be hosting the streams illegally (i.e. "Watch for FREE" sites).

Rule Examples

Depending on your organization's policies, you may want to be really restrictive, permissive, or play it safe. I'll detail some example rules that you can run with depending on your internal policies. I'm not going to cover blocking the categories, because that's already built into the policy and can be done by checking some boxes.

Auto-Expire Coaching (on Aug 21)

Let's say you want to Coach or Quota users when they visit Streaming Media or Internet/Radio/TV, and you want that to expire on August 21st (when the Olympics end). This assumes Streaming Media is not blocked in your current policy. First, import the Coaching ruleset from the Ruleset Library, then unlock it and add a rule inside the top-level Coaching ruleset. The rule is set up as follows:

Name: Apply ruleset from Aug 5th to Aug 21st 2016

Criteria: DateTime.ToNumber less than 1470355200 OR DateTime.ToNumber greater than 1471823999

Action: Stop Rule Set
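To check where the two epoch values in the rule criteria come from, and how the rule behaves at the window edges, here is an added Python example (not part of the original post or of MWG): it derives the bounds from the event dates and mirrors the "less than ... OR greater than ..." test. It assumes DateTime.ToNumber yields a UTC-based Unix timestamp, which is what the two constants correspond to.

```python
from datetime import datetime, timedelta, timezone

# Event window from the post: Aug 5th to Aug 21st 2016, both days inclusive.
EVENT_START = datetime(2016, 8, 5, tzinfo=timezone.utc)
EVENT_END = datetime(2016, 8, 21, tzinfo=timezone.utc)


def window_bounds(start: datetime, end: datetime) -> tuple[int, int]:
    """Return (low, high) for the rule criteria.

    low  = first second of `start` (DateTime.ToNumber less than low  -> stop)
    high = last second of `end`    (DateTime.ToNumber greater than high -> stop)
    Both dates are treated as UTC midnight, matching the constants in the post
    (assumption: the proxy evaluates DateTime.ToNumber in UTC).
    """
    low = int(start.timestamp())
    high = int((end + timedelta(days=1)).timestamp()) - 1
    return low, high


def stop_ruleset(now_epoch: int, low: int, high: int) -> bool:
    """Mirror of the criteria: stop (skip coaching) when outside the window."""
    return now_epoch < low or now_epoch > high


def coaching_applies(now_epoch: int, low: int, high: int) -> bool:
    """Coaching is applied only when the Stop Rule Set rule does not fire."""
    return not stop_ruleset(now_epoch, low, high)


def evaluate_samples(low: int, high: int) -> dict[str, bool]:
    """Evaluate constructed request timestamps around the window edges.

    The keys are human-readable UTC times; the values say whether the
    coaching ruleset would be applied to a request at that moment.
    """
    samples = {
        "2016-08-04 23:59:59": low - 1,      # one second before the window
        "2016-08-05 00:00:00": low,          # first second of Aug 5th
        "2016-08-13 12:00:00": low + 8 * 86400 + 12 * 3600,
        "2016-08-21 23:59:59": high,         # last second of Aug 21st
        "2016-08-22 00:00:00": high + 1,     # window has expired
    }
    return {label: coaching_applies(ts, low, high) for label, ts in samples.items()}


if __name__ == "__main__":
    lo, hi = window_bounds(EVENT_START, EVENT_END)
    print(f"Criteria: DateTime.ToNumber less than {lo} OR greater than {hi}")
    for label, applies in evaluate_samples(lo, hi).items():
        print(f"{label} UTC -> coaching {'applied' if applies else 'skipped'}")
```

If the appliance evaluates DateTime.ToNumber in local time rather than UTC, the effective window shifts by the site's UTC offset; recompute the bounds with the appropriate tzinfo before pasting them into the rule.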

Bandwidth Control for Categories (7.6.2+ -- Direct Proxy)

In 7.6.2, classful bandwidth control was added, which allows MWG to prioritize traffic. This allows you to define a maximum bandwidth that certain types of traffic can consume (let's say... URL.Categories equals Streaming Media or Internet/Radio/TV). For more information on implementing Bandwidth Control, check out the recently published guide:

Discussion Thread

If you have any thoughts, alternate ideas, or cool rulesets, I've started a discussion thread in the MWG Community:

Content and Categorization Team Projects

Throughout the year the Content and Categorization team is working on proactive projects that are important to customers. They are working on providing accurate coverage for major events that matter to you.

Again, apologies for the delay on this. Here is the completed Patch Tuesday newsletter for July.

Welcome to the July Patch Tuesday update. This was an average month in which Microsoft released a total of Eleven (11) new security bulletins, including one for Adobe Flash. For this month, Five (5) of these are rated Critical. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The remaining Six (6) are rated Important.

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The update addresses the vulnerabilities by:

Modifying how Internet Explorer handles objects in memory

Modifying how the JScript and VBScript scripting engines handle objects in memory

The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

MS16-086 (CVE-2016-3204)

The vulnerability could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system.

The update addresses the vulnerability by modifying how the JScript and VBScript scripting engines handle objects in memory.

MS16-087 (CVE-2016-3238 and 3239)

The more severe of the vulnerabilities could allow remote code execution if an attacker is able to execute a man-in-the-middle (MiTM) attack on a workstation or print server, or set up a rogue print server on a target network.

The update addresses the vulnerabilities by:

Correcting how the Windows Print Spooler service writes to the file system

Issuing a warning to users who attempt to install untrusted printer drivers

MS16-088 (CVE-2016-3278 through 3284)

The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

The security update addresses the vulnerabilities by correcting how:

Office handles objects in memory

Certain functions handle objects in memory

Windows validates input before loading libraries

MS16-089 (CVE-2016-3256)

The vulnerability could allow information disclosure when Windows Secure Kernel Mode improperly handles objects in memory. This security update is rated Important for all supported releases of Windows 10.

The security update addresses the vulnerabilities by correcting how:

The Windows kernel-mode driver handles objects in memory.

The Windows GDI component handles objects in memory.

MS16-090 (CVE-2016-3249, 3250, 3251, 3252, 3254, and 3286)

The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

The security update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory, and by correcting VPCI memory handling.

MS16-091 (CVE-2016-3255)

The vulnerability could cause information disclosure if an attacker uploads a specially crafted XML file to a web-based application.

The update addresses the vulnerability by modifying the way that the XML External Entity (XXE) parser parses XML input.

MS16-092 (CVE-2016-3258 and 3272)

The most severe of the vulnerabilities could allow security feature bypass if the Windows kernel fails to determine how a low integrity application can use certain object manager features.

The security update addresses the vulnerabilities by adding a validation check to the Windows kernel that determines how a low integrity application can use certain object manager features, and by correcting how the Windows kernel handles certain page fault system calls.

MS16-094 (CVE-2016-3287)

The vulnerability could allow Secure Boot security features to be bypassed if an attacker installs an affected policy on a target device. An attacker must have either administrative privileges or physical access to install a policy and bypass Secure Boot.

The security update addresses the vulnerability by blacklisting affected policies.

This security update is rated Critical. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for June 2016.

Welcome to the June Patch Tuesday update. This is another busy month: Microsoft released a total of Sixteen (16) new security bulletins. For this month, Five (5) of these are rated Critical. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The remaining Eleven (11) are rated Important.

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system.

The update addresses the vulnerabilities by:

Modifying how Internet Explorer handles objects in memory

Modifying how the JScript and VBScript scripting engines handle objects in memory

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

MS16-069 (CVE-2016-3205, 3206, and 3207)

This security update resolves vulnerabilities in the JScript and VBScript scripting engines in Microsoft Windows. The vulnerabilities could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.

The update addresses the vulnerabilities by modifying how the JScript and VBScript scripting engines handle objects in memory.

MS16-070 (CVE-2016-0025, 3233, 3234, and 3235)

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file.

The security update addresses the vulnerabilities by correcting how:

Office handles objects in memory

Certain functions handle objects in memory

Windows validates input before loading libraries

MS16-071 (CVE-2016-3227)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server.

The security update addresses the vulnerability by modifying how DNS servers handle requests.

MS16-072 (CVE-2016-3223)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.

The security update addresses the vulnerability by enforcing Kerberos authentication for certain calls over LDAP.

MS16-073 (CVE-2016-3218, 3221, and 3232)

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

The security update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory, and by correcting VPCI memory handling.

MS16-074 (CVE-2016-3216, 3219, and 3220)

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if a user opens a specially crafted document or visits a specially crafted website.

The security update addresses the vulnerabilities by correcting how:

The Windows Graphics Component (GDI32.dll) handles objects in memory

The Windows kernel-mode driver (Win32k.sys) handles objects in memory and helps to prevent unintended elevation of privilege from user-mode

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker with access to a domain controller (DC) on a target network runs a specially crafted application to establish a secure channel to the DC as a replica domain controller.

The update addresses the vulnerability by modifying how Netlogon handles the establishment of secure channels.

MS16-077 (CVE-2016-3213 and 3236)

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if the Web Proxy Auto Discovery (WPAD) protocol falls back to a vulnerable proxy discovery process on a target system.

The update addresses the vulnerabilities by correcting how Windows handles proxy discovery, and WPAD automatic proxy detection in Windows.

MS16-078 (CVE-2016-3231)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. This security update is rated Important for all supported editions of Microsoft Windows 10.

The security update addresses the vulnerability by correcting how the Windows Diagnostics Hub Standard Collector Service sanitizes input, to help preclude unintended elevated system privileges.

MS16-079 (CVE-2016-0028)

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow information disclosure if an attacker sends a specially crafted image URL in an Outlook Web Access (OWA) message that is loaded, without warning or filtering, from the attacker-controlled URL.

The security update addresses the vulnerabilities by correcting the way that Microsoft Exchange parses HTML messages.

MS16-080 (CVE-2016-3201, 3203, and 3215)

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted .pdf file.

The update addresses the vulnerabilities by modifying how Windows parses .pdf files.

MS16-081 (CVE-2016-3226)

This security update resolves a vulnerability in Active Directory. The vulnerability could allow denial of service if an authenticated attacker creates multiple machine accounts. To exploit the vulnerability an attacker must have an account that has privileges to join machines to the domain.

The security update addresses the vulnerability by correcting how machine accounts are created.

MS16-082 (CVE-2016-3230)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker logs on to a target system and runs a specially crafted application.

The update addresses the vulnerability by correcting how the Windows Search component handles objects in memory.

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for May 2016.

Welcome to the May Patch Tuesday update. This is a busy month: Microsoft released a total of Sixteen (16) new security bulletins, including one for systems with Adobe Flash Player installed. For this month, Eight (8) of these are rated Critical, which Microsoft defines as a vulnerability whose exploitation could allow remote code execution. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The remaining Eight (8) are rated Important.

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights. This security update is rated Critical for Microsoft Edge on Windows 10.

The update addresses the vulnerability by:

Modifying how Microsoft Edge handles objects in memory.

Ensuring that cross-domain policies are properly enforced in Microsoft Edge.

MS16-053 (CVE-2016-0187 and 0189)

The vulnerabilities could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The update addresses the vulnerabilities by modifying how the JScript and VBScript scripting engines handle objects in memory.

MS16-054 (CVE-2016-0126, 0140, 0183, and 0198)

The vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

The security update addresses the vulnerabilities by correcting how Office handles objects in memory, and by correcting how the Windows font library handles embedded fonts.

MS16-055 (CVE-2016-0168, 0169, 0170, 0184, and 0195)

The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a specially crafted website. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The security update addresses the vulnerabilities by correcting how the Windows GDI component and the Windows Imaging Component handle objects in memory.

MS16-056 (CVE-2016-0182)

The vulnerability could allow remote code execution if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The update addresses the vulnerability by modifying how Windows Journal parses Journal files.

MS16-057 (CVE-2016-0179)

The vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website that accepts user-provided online content, or convinces a user to open specially crafted content. The security update addresses the vulnerability by modifying how Windows Shell handles objects in memory.

MS16-058 (CVE-2016-0152)

To exploit the vulnerability, an attacker must first gain access to the local system and have the ability to execute a malicious application. The security update addresses the vulnerability by correcting how Windows validates input when loading certain libraries.

MS16-059 (CVE-2016-0185)

The vulnerability could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

The security update addresses the vulnerability by correcting how Windows Media Center handles certain resources in the .mcl file.

MS16-060 (CVE-2016-0180)

The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

The security update addresses the vulnerability by correcting how the Windows kernel parses symbolic links.

MS16-061 (CVE-2016-0178)

The vulnerability could allow elevation of privilege if an unauthenticated attacker makes malformed Remote Procedure Call (RPC) requests to an affected host.

The security update addresses the vulnerability by modifying the way that Microsoft Windows handles RPC messages.

MS16-062 (CVE-2016-0171 through 0176, 0196, and 0197)

The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

The security update addresses the vulnerabilities by correcting:

How the Windows kernel-mode driver handles objects in memory.

How the Windows kernel handles memory addresses.

The way in which the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) handles certain calls and escapes to preclude improper memory mapping and prevent unintended elevation from user-mode.

The vulnerability could cause information disclosure if an attacker injects unencrypted data in the target secure channel and then performs a man-in-the-middle (MiTM) attack between the targeted client and a legitimate server.

The security update addresses the vulnerability by modifying the way that the .NET encryption component sends and receives encrypted network packets.

MS16-066 (CVE-2016-0181)

The vulnerability could allow a security feature bypass if an attacker runs a specially crafted application to bypass code integrity protections in Windows.

The update addresses the vulnerability by correcting the security feature’s behavior to preclude incorrect marking of RWX pages under HVCI.

MS16-067 (CVE-2016-0190)

The vulnerability could allow information disclosure if a USB disk mounted over Remote Desktop Protocol (RDP) via Microsoft RemoteFX is not correctly tied to the session of the mounting user.

The security update addresses the vulnerability by ensuring that access to USB disks over RDP is correctly enforced to prevent non-mounting session access.

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.


This is Kelly Housman with the Microsoft Patch Tuesday newsletter for March 2016.

Welcome to the March Patch Tuesday update. This month Microsoft released a total of Thirteen (13) new security bulletins. For this month, Five (5) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow remote code execution. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other Eight (8) are rated Important.


This month’s patches include the following:

NOTE: As of this posting McAfee Labs Advisory documents were not posted on the community site. Once they are posted you’ll find them here.

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

This security update is rated Critical for Microsoft Edge on Windows 10.

The update addresses the vulnerability by:

Modifying how Microsoft Edge handles objects in memory

Changing how Microsoft Edge handles the referrer policy

MS16-025 (CVE-2016-0100)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Microsoft Windows fails to properly validate input before loading certain libraries. However, an attacker must first gain access to the local system with the ability to execute a malicious application.

The security update addresses the vulnerability by correcting how Windows OLE validates input on library load.

MS16-026 (CVE-2016-0120 and 0121)

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker either convinces a user to open a specially crafted document, or to visit a webpage that contains specially crafted embedded OpenType fonts. This security update is rated Critical for all supported editions of Windows.

An attacker who successfully exploited these vulnerabilities could cause arbitrary code to execute in the context of the current user. If a user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update is rated Critical for all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows 10.

The update addresses the vulnerabilities by modifying how Windows parses .PDF files.

MS16-029 (CVE-2016-0021, 0057, and 0134)

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

The security update addresses the vulnerabilities by:

Correcting how Office handles objects in memory

Providing a validly signed binary

MS16-030 (CVE-2016-0091 and 0092)

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if Windows OLE fails to properly validate user input. An attacker could exploit the vulnerabilities to execute malicious code. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message. This security update is rated Important for all supported editions of Windows.

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker is able to log on to a target system and run a specially crafted application. This security update is rated Important for all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

The security update addresses the vulnerability by correcting how Windows validates impersonation events.

MS16-032 (CVE-2016-0099)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege when the Windows Secondary Logon Service fails to properly manage request handles in memory. This security update is rated Important for all supported editions of Windows.

The security update addresses the vulnerability by correcting how Windows manages request handles in memory.

The security update addresses the vulnerability by correcting how Windows handles objects in memory.

MS16-034 (CVE-2016-0093 through 0096)

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. This security update is rated Important for all supported editions of Microsoft Windows.

The security update addresses the vulnerabilities by correcting how Windows handles objects in memory.

The update addresses the vulnerability by correcting how the .NET Framework validates XML documents.



This is Kelly Housman with the Microsoft Patch Tuesday newsletter for February 2016.

Welcome to the February Patch Tuesday update. This month Microsoft released a total of Thirteen (13) new security bulletins, including one from Adobe for Flash. For this month, Five (5) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow remote code execution. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other Eight (8) are rated Important.


This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Twenty-three (23) of these vulnerabilities are Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.

Three (3) of these vulnerabilities are XSS security bypasses. These may allow an attacker to steal cookie-based authentication credentials and other sensitive data that may aid in further attacks.

One (1) of these vulnerabilities is a Security Feature Bypass vulnerability. It bypasses the Address Space Layout Randomization (ASLR) feature in the Microsoft Browser.

As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen or an email message, or by opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.

MS16-011 (CVE-2016-0061, 0062, 0077, 0080, 0082, 0083, and 0084)

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS16-012 (CVE-2016-0046 and 0058)

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if Microsoft Windows PDF Library improperly handles application programming interface (API) calls, which could allow an attacker to run arbitrary code on the user’s system. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. However, an attacker would have no way to force users to download or open a malicious PDF document.

MS16-013 (CVE-2016-0038)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS16-014 (CVE-2016-0040, 0041, 0042, 0044, and 0049)

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker is able to log on to a target system and run a specially crafted application.

The security update addresses the vulnerabilities by:

Correcting how the Windows kernel handles objects in memory

Correcting how Windows validates input before loading DLL files

Correcting how Microsoft Sync Framework validates input

Adding an additional authentication check

MS16-015 (CVE-2016-0022, 0039, 0052, and 0053 through 0057)

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker uses the Microsoft Web Distributed Authoring and Versioning (WebDAV) client to send specifically crafted input to a server.

MS16-017 (CVE-2016-0036)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an authenticated attacker logs on to the target system using RDP and sends specially crafted data over the connection. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

MS16-018 (CVE-2016-0048)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

MS16-019 (CVE-2016-0033 and 0047)

This security update resolves vulnerabilities in Microsoft .NET Framework. The more severe of the vulnerabilities could cause denial of service if an attacker inserts specially crafted XSLT into a client-side XML web part, causing the server to recursively compile XSLT transforms.

This security update resolves a vulnerability in Active Directory Federation Services (ADFS). The vulnerability could allow denial of service if an attacker sends certain input data during forms-based authentication to an ADFS server, causing the server to become nonresponsive.

This security update is rated Important for ADFS 3.0 when installed on x64-based editions of Windows Server 2012 R2.

MS16-021 (CVE-2016-0050)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could cause denial of service on a Network Policy Server (NPS) if an attacker sends specially crafted username strings to the NPS, which could prevent RADIUS authentication on the NPS. This security update is rated Important for all supported editions of Windows Server 2008 (excluding Itanium), and Windows Server 2008 R2 (excluding Itanium), and all supported editions of Windows Server 2012 and Windows Server 2012 R2.



This is Kelly Housman with the Microsoft Patch Tuesday newsletter for January 2016.

Welcome to the January Patch Tuesday update. This month Microsoft released a total of Nine (9) new security bulletins. For this month, Six (6) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow remote code execution. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other Three (3) are rated Important.


This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Helping to ensure that cross-domain policies are properly enforced in Internet Explorer

MS16-002 (CVE-2016-0003 and 0024)

This security update resolves vulnerabilities in Microsoft Edge. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. This security update is rated Critical for Microsoft Edge on Windows 10. The update addresses the vulnerability by modifying how Microsoft Edge handles objects in memory.

MS16-003 (CVE-2016-0002)

This security update resolves a vulnerability in the VBScript scripting engine in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system.

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user.

This security update resolves a vulnerability in Microsoft Silverlight. The vulnerability could allow remote code execution if a user visits a compromised website that contains a specially crafted Silverlight application. An attacker would have no way to force users to visit a compromised website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email or instant message that takes users to the attacker's website.

This security update is rated Critical for Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime when installed on Mac or all supported releases of Microsoft Windows.

MS16-007 (CVE-2016-0014, 0015, 0016, 0018, 0019, and 0020)

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker is able to log on to a target system and run a specially crafted application.

MS16-008 (CVE-2016-0006 and 0007)

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. This security update is rated Important for all supported releases of Microsoft Windows.

MS16-010 (CVE-2016-0029 through 0032)

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow spoofing if Outlook Web Access (OWA) fails to properly handle web requests, and sanitize user input and email content. This security update is rated Important for all supported editions of Microsoft Exchange Server 2013 and Microsoft Exchange Server 2016.



Starting January 1, 2016, most browsers are phasing out trust of certificates signed using SHA1. Any certificate signed after January 1 will be distrusted in some way (the exact behavior varies by browser); certificates signed before that date are still accepted.

McAfee Web Gateway issues certificates for the sites it SSL scans, so the signing date of those certificates will be after January 1, 2016. To avoid any issues, please ensure that you are not using SHA1 in your SSL scanning settings (use SHA256 instead). If you migrated from an older version to a newer version, this setting is not updated automatically.

This is configured under Policy > Settings > Engines > SSL Client Context with CA in the digest dropdown. Be sure to configure the digest in all settings containers for "SSL Client Context with CA".

Firefox actively blocks you from the site, Chrome will display a passive warning in the address bar. Below is a screenshot of the warnings.

If the Certificate Authority used in the McAfee Web Gateway was signed using SHA1, you should consider replacing it soon. At the moment the browsers will only complain if the web server certificate is signed using SHA1. However, the same may happen eventually for CA certs signed using SHA1.

For the time being, adjusting the settings above should suffice in avoiding browser errors.
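As an added illustration of the check above (this is example code, not McAfee Web Gateway code, and it does not read the gateway's configuration), the following Python walks a DER-encoded certificate to its signatureAlgorithm field and flags the SHA1 signature OIDs. The two sample certificates are constructed stand-ins with a placeholder tbsCertificate and an all-zero signature, so they are not valid certificates, only enough structure for the check to run offline; on a real system you would feed it the CA certificate exported from the gateway, or a server certificate saved from the browser, through pem_to_der.

```python
"""Added example: detect SHA1-signed X.509 certificates by reading the
signatureAlgorithm OID directly from the DER encoding (no external libraries).
Sample certificates below are constructed minimal stand-ins, not real certs."""
import base64
import re

SEQUENCE, OID, NULL, BIT_STRING, INTEGER = 0x30, 0x06, 0x05, 0x03, 0x02

# Signature algorithms whose digest is SHA1 (well-known OIDs)
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}


def _encode_length(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Tag-length-value encoding used to build the sample certificates."""
    return bytes([tag]) + _encode_length(len(body)) + body


def encode_oid(dotted):
    """Dotted OID string -> DER OID content bytes (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def decode_oid(raw):
    """DER OID content bytes -> dotted string."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos):
    """Read one DER element at pos; returns (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue };
    return the dotted OID found in signatureAlgorithm."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER certificate")
    _, _tbs, pos = read_tlv(cert, 0)          # tbsCertificate is skipped over
    tag, alg, _ = read_tlv(cert, pos)         # AlgorithmIdentifier
    if tag != SEQUENCE:
        raise ValueError("malformed signatureAlgorithm")
    tag, oid, _ = read_tlv(alg, 0)
    if tag != OID:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid)


def is_sha1_signed(der):
    return signature_algorithm(der) in SHA1_SIGNATURE_OIDS


def pem_to_der(pem):
    """Strip the PEM armor of a certificate and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()


def make_sample_cert(sig_oid):
    """Constructed stand-in: placeholder tbsCertificate, real AlgorithmIdentifier
    layout, zero signature. Enough structure for the check, not a usable cert."""
    tbs = tlv(SEQUENCE, tlv(INTEGER, b"\x01"))
    alg = tlv(SEQUENCE, tlv(OID, encode_oid(sig_oid)) + tlv(NULL, b""))
    sig = tlv(BIT_STRING, b"\x00" + bytes(16))
    return tlv(SEQUENCE, tbs + alg + sig)


SHA1_CERT = make_sample_cert("1.2.840.113549.1.1.5")     # sha1WithRSAEncryption
SHA256_CERT = make_sample_cert("1.2.840.113549.1.1.11")  # sha256WithRSAEncryption

if __name__ == "__main__":
    for name, cert in (("sha1", SHA1_CERT), ("sha256", SHA256_CERT)):
        print(name, signature_algorithm(cert), "SHA1-signed" if is_sha1_signed(cert) else "ok")
```

The check looks only at the outer signatureAlgorithm, which is the field browsers evaluate when deciding whether a SHA1 signature is acceptable; run it over both the server certificates the gateway issues and the CA certificate itself, since the text above notes that CA certificates signed with SHA1 may be the next thing browsers reject.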

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for December 2015.

Welcome to the December Patch Tuesday update. This month Microsoft released a total of twelve (12) new security bulletins. For this month, eight (8) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other four (4) are rated Important.

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Twenty-three (23) of these vulnerabilities are Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.

Three (3) of these vulnerabilities are XSS Security Bypass vulnerabilities. These may allow an attacker to steal cookie-based authentication credentials and other sensitive data that may aid in further attacks.

One (1) of these vulnerabilities is a Security Feature Bypass vulnerability. It bypasses the Address Space Layout Randomization (ASLR) feature in the Microsoft Browser.

As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen, an email message, or opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server. The security update addresses the vulnerability by modifying how DNS servers parse requests.

These three (3) updates resolve vulnerabilities in Microsoft Silverlight. To exploit the vulnerability, an attacker could host a website that contains a specially crafted Silverlight application and then convince a user to visit the compromised website. The attacker could also take advantage of websites that accept or host user-provided content or advertisements and that contain specially crafted content.

MS15-130 (CVE-2015-6130)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains specially crafted fonts.

MS15-131 (CVE-2015-6040, 6118, 6122, 6124 (Exploited), 6172, 6177)

Multiple remote code execution vulnerabilities exist in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could run arbitrary code in the context of the current user. Exploitation could occur via an email attachment or a malicious URL link, by convincing the user either to open the attachment or to click the link.

MS15-132 (CVE-2015-6128, 6129, 6132, 6133)

Multiple remote code execution vulnerabilities exist when Windows improperly validates input before loading libraries. An attacker who successfully exploited the vulnerabilities could take complete control of an affected system. To exploit the vulnerabilities, an attacker would need access to the local system and the ability to execute a specially crafted application on the system. The security update addresses the vulnerabilities by correcting how Windows validates input before loading libraries.

MS15-133 (CVE-2015-6126)

An elevation of privilege vulnerability exists in the Windows Pragmatic General Multicast (PGM) protocol that is caused when an attacker-induced race condition results in references to memory contents that have already been freed. Microsoft Message Queuing (MSMQ) must be installed and PGM specifically enabled for a system to be vulnerable. MSMQ is not present in default configurations and if it is installed the PGM protocol is available but disabled by default.

- An attack through Internet Explorer or Microsoft Edge requires the user to accept a security warning. If the attacker's executable file is on the localhost or in the same LAN, it will open without a warning. However, if the share is outside of the local network, a security warning dialog box will appear.

- For an attack to succeed, the user must first open Media Center and set it up.

MS15-135 (CVE-2015-6171, 6173, 6174, 6175 (Exploited))

Finally, multiple elevation of privilege vulnerabilities exist due to the way the Windows kernel handles objects in memory. An attacker who successfully exploited the vulnerabilities could run arbitrary code in kernel mode.


The issue has to do with Chrome receiving an HTTP response that is too big for its buffer. If we reduce the size of the response, Chrome will handle it properly.

To reduce the size of the response, we can change the MWG block page which is used for authentication. To do this, navigate to Policy > Settings, and click Edit for any of the block templates. On the Template Editor screen, find the "Authentication Required" block page template and remove the contents of this block page (at least for now).

Update Dec 8th - Create an empty collection

Some customers reported that the above workaround did not help. If you are using your own custom template collection, you will need to create an empty template collection. This can be done in four steps:

1. Create an "empty" template collection by clicking add next to the Collection dropdown, instead of OK and Edit:

2. Verify that the "empty" collection is selected:

3. Create an empty "Authentication Required" Template, and click OK:

4. Add a single space to the index template:

The only other workarounds would be to disable authentication or enable Kerberos authentication. Here is a link to the guide on setting up Kerberos:

Older KB: Please check out the KB listed below about what kind of memory is supported in our B model appliances (4000B, 4500B, 5000B, 5500B). The KB includes specific memory modules which can be purchased.

This is Greg Blaum with the Microsoft Patch Tuesday newsletter for November 2015.

Welcome to the November Patch Tuesday update. This month Microsoft released a total of twelve (12) new security bulletins. For this month, four (4) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other eight (8) are rated Important.


Here is the standard cumulative Internet Explorer Security Update. This Internet Explorer update addresses 25 vulnerabilities in multiple versions of Internet Explorer. The vulnerabilities in this update affect Internet Explorer 7 through Internet Explorer 11 on all currently supported versions of Windows. Because of the wide range of Internet Explorer versions that have these vulnerabilities, this affects a very large installed base of Internet Explorer users. Let’s take a closer look at the vulnerabilities covered by this patch:

Twenty-three (23) of these vulnerabilities are Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.

One (1) of these vulnerabilities is an Information Disclosure vulnerability. If exploited, an attacker could potentially read data that was not intended to be disclosed.

One (1) of these vulnerabilities is a Security Feature Bypass vulnerability. It bypasses the Address Space Layout Randomization (ASLR) feature in the Microsoft Browser.


MS15-113 (CVE-2015-6064, 6073, 6078, & 6088)

This cumulative security update affects only the Microsoft Edge browser on Windows 10. Three (3) of these vulnerabilities are Remote Code Execution vulnerabilities and the other one (1) is a Security Feature Bypass Vulnerability.

MS15-114 (CVE-2015-6097)

This security update resolves a single Remote Code Execution vulnerability in the Windows Journal. It only occurs if a user is convinced to open a specially crafted Journal file. This vulnerability came through coordinated vulnerability disclosure.

MS15-115 (CVE-2015-6100 to 6104, 6109, & 6113)

This bulletin addresses a potpourri of different vulnerabilities in the Windows Kernel. Here we see Memory Elevation of Privilege vulnerabilities, Information Disclosure vulnerabilities, Remote Code Execution vulnerabilities, and a Security Feature Bypass vulnerability. It is for all currently supported versions of the desktop and server flavors of Windows.

This bulletin addresses a single Elevation of Privilege vulnerability in Microsoft Windows NDIS. It could allow elevation of privilege if an attacker is able to log on to the system and run a specially crafted application. This update resolves the issue by addressing how NDIS validates buffer length.

MS15-118 (CVE-2015-6096, 6099, & 6115)

This security update addresses an Information Disclosure vulnerability, an Elevation of Privilege vulnerability, and a Security Feature Bypass vulnerability in multiple versions of the .NET Framework. Since it is possible to have multiple versions of the .NET Framework installed on any given system, users may be required to install multiple software update packages, but they all address the three (3) vulnerabilities in this bulletin.

MS15-119 (CVE-2015-2478)

Similarly to MS15-117, this addresses an Elevation of Privilege vulnerability in Winsock. Like that vulnerability, it could allow elevation of privilege if an attacker is able to log on to the system and run a specially crafted application. This one is addressed by preventing Winsock from accessing invalid memory addresses.

MS15-120 (CVE-2015-6111)

It seems like this is the month for vulnerabilities in the networking components, because here’s one in IPSec that resolves a Denial of Service vulnerability. Each one of these network component updates addresses a single vulnerability.

MS15-121 (CVE-2015-6112)

This bulletin addresses a Spoofing vulnerability in the Schannel component. In order to be exploited, an attacker needs to perform a man-in-the-middle (MiTM) attack between a client and a legitimate server. It is present in all supported releases of Windows, with the exception of Windows 10. So that’s good news for adopters of Windows 10.

MS15-122 (CVE-2015-6095)

Here we have a Security Feature Bypass vulnerability in Kerberos. While this one is only marked as Important, I’d advise patching it quickly because an attacker could bypass Kerberos and decrypt drives that are protected by BitLocker. However, this can only be accomplished if the affected system has BitLocker enabled without a PIN or USB key, it is domain-joined, or if the attacker has full physical access to the target computer.

MS15-123 (CVE-2015-6061)

Finally, this bulletin covers an Information Disclosure vulnerability in Skype for Business 2016, Lync 2013, Lync 2010, and the Lync Room system. It overlaps somewhat with MS15-116 because of shared components in the affected software.


You can also review the Microsoft Summary for November 2015 at the Microsoft site.

This month will be my last Patch Tuesday newsletter. I’m handing this over to another engineer that will be taking it over starting in December. I’d like to thank everyone for reading the Patch Tuesday newsletter, and for all the great suggestions!

Wireshark is a packet analyzer that can help you analyze network problems and detect network intrusion attempts and network misuse. It can be downloaded free on Wireshark’s website.

When there is an issue with Web Defense, our engineering team may request a packet capture to use in troubleshooting. If you want to troubleshoot issues such as a slow network or application, looking at HTTP traffic is simple. Wireshark allows you to set up a capture filter that looks at TCP traffic on a particular port such as 80 or, for SSL, 443. Try "tcp port 80 and host xxx.xxx.xxx.xxx" as a capture filter to only capture packets on port 80 to or from a particular host.

You can use a display filter to further reduce the results to see errors and transactions for http only. Try the display filter “http” or to find a specific error code you could try “http.response.code==503” for service unavailable errors or “http.response.code==404” for page not found errors.

Packet captures can also be beneficial in troubleshooting issues with spam originating from your network. As with HTTP, Wireshark cannot capture only SMTP traffic, but a capture filter can be set up to capture TCP traffic only on a particular port such as 25. You should be able to determine which host, external or internal, is generating unusual amounts of traffic using these results.

You can also further filter the results by FROM or RCPT to attempt to narrow down a sender or recipient. Try the display filter smtp.req.parameter contains "from" to see sending addresses.

If you’re ready to get started with Wireshark, check out the Wireshark Wiki, the wiki includes examples of capture and display filters as well as a wealth of sample captures to try your filters on.
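To make the two filter stages above concrete, here is an added example (not code from the Wireshark project or from McAfee) that models what the capture filter "tcp port 80 and host X" and the display filters http.response.code==503 and smtp.req.parameter contains "from" select. It parses constructed Ethernet/IPv4/TCP frames built in the script itself instead of reading a live interface, so it runs offline; the addresses come from the documentation ranges and are not a real capture.

```python
"""Added example: a minimal model of Wireshark capture and display filters
over constructed Ethernet/IPv4/TCP frames (sample data, not a real capture)."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Assemble Ethernet + IPv4 + TCP headers around a payload. Checksums are
    left at zero: these frames exist to be parsed, not sent."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def parse_frame(frame):
    """Decode the fields the filters need; None for non-IPv4 or non-TCP frames."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "payload": tcp[data_offset:]}


def capture_filter(frames, port, host):
    """Equivalent of the BPF capture filter 'tcp port <port> and host <host>':
    either direction on the port, and the host as source or destination."""
    out = []
    for f in frames:
        p = parse_frame(f)
        if p and port in (p["sport"], p["dport"]) and host in (p["src"], p["dst"]):
            out.append(p)
    return out


def http_response_code(payload):
    """Status code of an HTTP response payload (what http.response.code shows)."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def smtp_mail_from(payload):
    """Sender address from a MAIL FROM command, the rough equivalent of the
    smtp.req.parameter display filter applied to the FROM parameter."""
    line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if line.upper().startswith("MAIL FROM:"):
        return line[len("MAIL FROM:"):].strip().strip("<>")
    return None


def http_errors_for_host(frames, host, code):
    """Capture filter 'tcp port 80 and host <host>', then display filter
    'http.response.code==<code>'."""
    return [p for p in capture_filter(frames, 80, host)
            if http_response_code(p["payload"]) == code]


def smtp_senders(frames, port=25):
    """Capture on port 25, then collect MAIL FROM addresses per source host,
    which is how you spot the internal machine that is spewing mail."""
    senders = {}
    for f in frames:
        p = parse_frame(f)
        if p and port in (p["sport"], p["dport"]):
            addr = smtp_mail_from(p["payload"])
            if addr:
                senders.setdefault(p["src"], []).append(addr)
    return senders


# Constructed sample traffic (documentation-range addresses, not a real capture)
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "192.0.2.10", 51000, 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    build_frame("192.0.2.10", "10.0.0.5", 80, 51000, b"HTTP/1.1 503 Service Unavailable\r\n\r\n"),
    build_frame("10.0.0.5", "192.0.2.10", 51001, 80, b"GET /ok HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    build_frame("192.0.2.10", "10.0.0.5", 80, 51001, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_frame("10.0.0.9", "192.0.2.10", 52000, 80, b"GET / HTTP/1.1\r\n\r\n"),   # other host
    build_frame("10.0.0.5", "192.0.2.20", 53000, 443, b"\x16\x03\x01\x00\x05"),   # TLS, not port 80
    build_frame("10.0.0.7", "198.51.100.25", 54000, 25, b"MAIL FROM:<bot@example.net>\r\n"),
    build_frame("10.0.0.7", "198.51.100.25", 54000, 25, b"RCPT TO:<victim@example.org>\r\n"),
]

if __name__ == "__main__":
    print("503s to 10.0.0.5:", len(http_errors_for_host(SAMPLE_FRAMES, "10.0.0.5", 503)))
    print("SMTP senders:", smtp_senders(SAMPLE_FRAMES))
```

The split between capture_filter and the display-side helpers mirrors Wireshark's own two stages: the capture filter decides what is written to disk (cheap, header-only, so keep it to port and host), and the display filter inspects protocol fields after the fact. Note that the Wireshark `contains` operator is case-sensitive, so match the case of the parameter as it appears on the wire.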

This is Greg Blaum with the Microsoft Patch Tuesday newsletter for September 2015.

Welcome to the September Patch Tuesday update. This month Microsoft released a total of twelve (12) new security bulletins. For this month, five (5) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other seven (7) are rated Important.


Here is the standard cumulative Internet Explorer Security Update. This Internet Explorer update addresses 17 vulnerabilities in multiple versions of Internet Explorer. The vulnerabilities in this update affect Internet Explorer 7 through Internet Explorer 11 on all currently supported versions of Windows. Because of the wide range of Internet Explorer versions that have these vulnerabilities, this affects a very large installed base of Internet Explorer users. Let’s take a closer look at the vulnerabilities covered by this patch:

Fourteen (14) of these vulnerabilities are Internet Explorer Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.

Two (2) of these vulnerabilities are Information Disclosure vulnerabilities. If exploited, an attacker could potentially read data that was not intended to be disclosed.

One (1) of these vulnerabilities is an Escalation of Privilege vulnerability. If exploited, this potentially allows a script to be run with elevated privileges.


MS15-095 (CVE-2015-2485 and 2486, 2494, and 2542)

This cumulative security update affects only the Microsoft Edge browser on Windows 10. All four (4) included vulnerabilities that are patched by this bulletin are Memory Corruption vulnerabilities that result in the potential for Remote Code Execution. Similarly to the cumulative Internet Explorer vulnerabilities in MS15-094, attackers would have to convince users with an affected version of Microsoft Edge to view specially crafted content that exploits these vulnerabilities.

MS15-096 (CVE-2015-2535)

This security update resolves a Denial of Service vulnerability in Active Directory. In this case, an authenticated attacker could create multiple machine accounts, and this could cause the Active Directory service to become non-responsive. Note that the attacker must have valid credentials in order to exploit this vulnerability.

This bulletin addresses multiple security vulnerabilities in Microsoft graphics components in Microsoft Windows, Microsoft Office, and Microsoft Lync. These are Elevation of Privilege and Remote Code Execution vulnerabilities. This update replaces updates in MS14-036, MS15-078 and MS15-080. There are multiple update packages offered for each affected software, so be sure to get all updates.

MS15-098 (CVE-2015-2513 & 2514, 2516, 2519, & 2530)

Here we have multiple Remote Code Execution vulnerabilities in the Windows Journal. They exist when a specially crafted Journal file is opened and could cause arbitrary code to be executed in the context of the current user.

MS15-099 (CVE-2015-2520 through 2523, & 2545)

This bulletin covers five (5) vulnerabilities in Microsoft Office and Microsoft SharePoint. For the Microsoft Office vulnerabilities, three (3) of them are Memory Corruption vulnerabilities where Microsoft Office software fails to properly handle objects in memory. The other vulnerability in Microsoft Office is a Remote Code Execution vulnerability when opening a corrupted graphics image file or inserting a corrupted graphics image into a Microsoft Office file. The final update in this bulletin addresses a cross-site scripting (XSS) vulnerability in Microsoft SharePoint. SharePoint fails to properly sanitize user-supplied web requests, which could result in spoofing. Note that the SharePoint update contains additional security-related changes to functionality and replaces previous SharePoint updates.

Here we have a Denial of Service vulnerability and an Elevation of Privilege vulnerability in the Microsoft .NET Framework. This update affects multiple versions of the Microsoft .NET Framework, so users may have to install multiple packages to patch the vulnerability in each version that is installed. The Elevation of Privilege vulnerability has web browsing as an attack scenario, so it is very important to get this update deployed.

MS15-102 (CVE-2015-2524, 2525, & 2528)

This update resolves a trio of Elevation of Privilege vulnerabilities in Windows Task Management. It affects current Windows client and Windows server operating systems.

MS15-103 (CVE-2015-2505, 2543, & 2544)

This bulletin addresses an Information Disclosure vulnerability and two (2) Spoofing vulnerabilities in Microsoft Exchange Server 2013. All three (3) of these vulnerabilities affect Outlook Web Access, so companies utilizing OWA should investigate and schedule the installation of this update.

MS15-104 (CVE-2015-2531, 2532, & 2536)

This security update resolves three (3) cross-site scripting (XSS) vulnerabilities in Skype for Business Server and Microsoft Lync Server. Two (2) of these are Information Disclosure vulnerabilities and the other one is an Elevation of Privilege vulnerability. These only affect the server versions of Skype for Business and Microsoft Lync.

MS15-105 (CVE-2015-2534)

Finally, here we’ve got a Security Feature Bypass vulnerability in Windows Hyper-V. It exists when Windows Hyper-V access control list (ACL) configuration settings are not applied correctly. An attacker can run a specially crafted application that could cause Hyper-V to allow unintended network traffic.


As an adjunct to our monthly Patch Tuesday updates, Microsoft released an out-of-band patch on August 18th. They only release out-of-band patches for the most critical security bugs, so this one is very important.

This is Greg Blaum with the Microsoft Patch Tuesday newsletter for August 2015.

Welcome to the first Patch Tuesday update after the release of Windows 10 by Microsoft Corporation. This month Microsoft released a total of fourteen (14) new security bulletins. For this month, four (4) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other ten (10) are rated Important.


Here is the standard cumulative Internet Explorer Security Update. This Internet Explorer update addresses 13 vulnerabilities in multiple versions of Internet Explorer. The vulnerabilities in this update affect Internet Explorer 6 through Internet Explorer 11 on all currently supported versions of Windows. Because of the wide range of Internet Explorer versions that have these vulnerabilities, this affects a very large installed base of Internet Explorer users. Let’s take a closer look at the vulnerabilities covered by this patch:

Ten (10) of these vulnerabilities are Internet Explorer Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.

Two (2) of these vulnerabilities are Security Feature Bypass vulnerabilities. Both of them bypass the Address Space Layout Randomization (ASLR) feature.

One (1) of these vulnerabilities is an Information Disclosure vulnerability. If exploited, an attacker could read data that was not intended to be disclosed.

As in the past with Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these flaws. The content could be hosted on a compromised website or on a forum/blog site that allows users to post their own content. Users could be lured to one of these sites by clicking a link in search results or in an email message, or by opening a malicious attachment. Good email hygiene with anti-spam and anti-phishing controls (such as McAfee Email Protection) helps reduce the chance that users stray to an affected site. Since we expect known-bad sites on the Internet to host this type of attack, good web browsing habits and tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection also help.

This security update covers multiple vulnerabilities in the Microsoft Graphics Component, which is shared by several applications. It resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight, so users will be offered multiple update packages depending on which of those products are installed on their machines.

This bulletin addresses two (2) vulnerabilities in the Remote Desktop Protocol (RDP). It affects multiple versions of Windows, including client and server versions. Please check the bulletin for specifics on the versions affected. Get these updates deployed to hosts with RDP enabled.

The first vulnerability is a failure of the Remote Desktop Session Host (RDSH) to properly validate certificates during authentication; if exploited, an attacker could impersonate the client session. The second is the result of the Windows Remote Desktop Protocol client improperly handling the loading of specially crafted DLL files; successful exploitation would let the attacker take complete control of an affected system.

This security update addresses three (3) Information Disclosure vulnerabilities in XML Core Services. Some versions of the XML Core Services are provided as part of Microsoft Windows, other versions ship with additional software such as Microsoft Office.

This security update resolves an Elevation of Privilege vulnerability in the Mount Manager component of Microsoft Windows. It is a result of the Mount Manager improperly processing symbolic links when a USB device is inserted into a target system.

MS15-086 (CVE-2015-2420)

Here we have an Elevation of Privilege vulnerability in Microsoft System Center Operations Manager 2012 and 2012 R2. It is the result of improper input validation and could allow an attacker to inject a client-side script into the user’s browser. The users primarily at risk are those authorized to access the System Center Operations Manager web consoles.

MS15-087 (CVE-2015-2475)

This update resolves an Elevation of Privilege vulnerability in the Universal Description, Discovery, and Integration (UDDI) Services. It affects Windows Server 2008 (including the Server Core installation) and multiple versions of BizTalk Server.

MS15-088 (CVE-2015-2423)

Here we have an Information Disclosure vulnerability in Microsoft Windows, Internet Explorer, and Microsoft Office. To be exploited, it has to be combined with another vulnerability in Internet Explorer. An attacker could then use this unsafe command line parameter passing vulnerability to launch Notepad, Visio, PowerPoint, Excel, or Word and disclose information. This vulnerability *has* been publicly disclosed.

MS15-089 (CVE-2015-2476)

This is a single Information Disclosure vulnerability in the Microsoft Web Distributed Authoring and Versioning (WebDAV) client. Similar to other vulnerabilities we’ve seen, it is a result of the use of SSL 2.0 and is resolved by defaulting to a more secure protocol than SSL 2.0.

MS15-090 (CVE-2015-2428 through 2430)

Here we’ve got a trio of Elevation of Privilege vulnerabilities in Microsoft Windows. They exist in the following components: Windows Object Manager, Windows Registry, and Windows Filesystem. They are present in client and server versions of Microsoft Windows.

MS15-091 (CVE-2015-2441, 2442, 2446, and 2449)

This is our first Windows 10-only security vulnerability update. It resolves four (4) separate vulnerabilities in Microsoft Edge, the new web browser that is built into Windows 10. Three (3) of the vulnerabilities are Remote Code Execution Memory Corruption vulnerabilities and the other one is an Address Space Layout Randomization (ASLR) Security Feature Bypass vulnerability. Get this deployed to those new Windows 10 systems.

MS15-092 (CVE-2015-2479 through 2481)

Finally, this bulletin addresses three (3) Elevation of Privilege vulnerabilities in the Microsoft .NET Framework. It affects the Microsoft .NET Framework 4.6 on all supported versions of Microsoft Windows, except the Itanium editions.

Bonus Vulnerability Coverage: Although not technically listed as a Microsoft Security Bulletin (listed as a Security Advisory), Microsoft updated Microsoft Security Advisory 2755801 on August 11th to address new vulnerabilities in the Adobe Flash Player. This only addresses the integrated Adobe Flash Player that was released as part of Internet Explorer 10, Internet Explorer 11, and Microsoft Edge. Other versions of the Adobe Flash Player should be updated via the Adobe website. The Microsoft operating systems affected are Windows 8 & 8.1, Windows RT & RT 8.1, Windows Server 2012 & 2012 R2, and Windows 10. Because Adobe Flash content is so prevalent on the Internet and the vulnerabilities could potentially allow an attacker to take control of the affected system, this should also be considered a Critical update. Details are also available in Adobe Security bulletin APSB15-19. McAfee Labs Security Advisories for these vulnerabilities will be published on the McAfee Labs Security Advisories Community site.

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

Well, Windows 10 has been released by Microsoft Corporation. I know many people have already upgraded to it from Windows 7, Windows 8, and Windows 8.1. I’ve already taken the plunge on several of my machines and plan to update the rest very shortly. I’ve been running different preview builds of it for some time as part of the Windows Insider program. Many of Intel Security’s customers have been asking for updates on when our Endpoint products will have support for the RTM (final released code) build of Windows 10. I’ve done a lot of digging around and have put together a list that covers the support for Windows 10 by Intel Security products. I plan to keep the blog post updated with more information as it becomes available from our product engineering teams, so make sure you save it in your bookmarks/favorites.

A few notes on this list:

This is primarily concentrated on Business/Enterprise versions of products from Intel Security, so you won’t see products for home users here.

When possible, I’ve provided a link to an article on the Knowledge Center…the information in that article may be more up-to-date as it is updated directly by our product teams.

For customers with Gold and Platinum support, please contact your Support Representative for updates and requests for access to pre-release products for testing purposes.

MNE 3.0.1, recently released, adds a policy setting that gives Administrators the option to define a customized recovery link (URL) that is displayed on the preboot recovery screen of Windows 10 Microsoft BitLocker clients.

As an adjunct to our monthly Patch Tuesday updates, Microsoft released an out-of-band patch on July 20th. They only release out-of-band patches for the most critical security bugs, so this one is very important.

Application Control, with its memory protection against remote code execution, helps protect against this attack.

This is Greg Blaum again with the Microsoft Patch Tuesday newsletter for July 2015.

After a light June, we’re back to a heavy July for patches; Microsoft released a total of fourteen (14) new security bulletins. Four (4) of these are rated Critical, which Microsoft defines as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the vulnerabilities system administrators are usually most concerned about and try to patch as quickly as possible. The other ten (10) are rated Important.

We don’t often see security bulletins for Microsoft SQL Server. This one is a remote code execution vulnerability that exists if an authenticated attacker runs a specially crafted query. Note that the attacker has to already be authenticated and have permissions to create or modify a database. It affects multiple versions of SQL Server, so be sure to check the bulletin for details. Given the widespread use of Microsoft SQL Server and the potential gold mine of information present in databases, DB admins should patch their SQL Servers as soon as they can.

Here is the standard cumulative Internet Explorer Security Update. This is another big Internet Explorer update, addressing 29 vulnerabilities across Internet Explorer 6 through Internet Explorer 11 on all currently supported versions of Windows. Because so many versions are affected, this touches a very large installed base of Internet Explorer users. Let’s take a closer look at the vulnerabilities covered by this patch:

Twenty-one (21) of these vulnerabilities are Internet Explorer Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.

Five (5) of these vulnerabilities are Information Disclosure vulnerabilities. If exploited, an attacker could potentially read data that was not intended to be disclosed.

Two (2) of these vulnerabilities are Security Feature Bypass vulnerabilities. One of them bypasses the Address Space Layout Randomization feature and the other bypasses the XSS filter.

One (1) of these vulnerabilities is an Elevation of Privilege vulnerability. On its own it would not allow arbitrary code execution; it would need to be combined with another remote code execution vulnerability for an attacker to run arbitrary code.

As in the past with Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these flaws. The content could be hosted on a compromised website or on a forum/blog site that allows users to post their own content. Users could be lured to one of these sites by clicking a link in search results or in an email message, or by opening a malicious attachment. Good email hygiene with anti-spam and anti-phishing controls (such as McAfee Email Protection) helps reduce the chance that users stray to an affected site. Since we expect known-bad sites on the Internet to host this type of attack, good web browsing habits and tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection also help.

MS15-066 (CVE-2015-2372)

This security update resolves a Remote Code Execution vulnerability in the VBScript Scripting Engine. It could be triggered if a user visits a specially crafted website, giving the attacker the same user rights as the current user. Note that this is for VBScript on Windows Server 2003, Windows Vista, Windows Server 2008, and Windows Server 2008 Server Core with Internet Explorer 7 or earlier or without Internet Explorer. Anything running Internet Explorer 8 or later will get the fix with the MS15-065 update.

MS15-067 (CVE-2015-2373)

This bulletin addresses a Remote Code Execution vulnerability in the Remote Desktop Protocol (RDP). It affects Windows 7, Windows 8, Windows Server 2012, and Windows Server 2012 Server Core. While the most likely outcome is a Denial of Service (DoS) against the remote desktop, remote code execution is possible. VDI environments may be a target for this attack, so administrators should patch their VDI setups with this fix.

MS15-068 (CVE-2015-2361 and 2362)

Here we have a pair of Remote Code Execution vulnerabilities in Windows Hyper-V. For either of these to be exploited, an attacker would need to be authenticated and privileged on a guest virtual machine and then execute a specially crafted application. It would then allow remote code execution within the host context. If you’re using Windows Hyper-V, it is advised to get this patch deployed as soon as possible.

MS15-069 (CVE-2015-2368 and 2369)

This security update addresses two (2) Remote Code Execution vulnerabilities in Microsoft Windows. They both exist regarding the loading of specially crafted dynamic link library (DLL) files and could result in an attacker taking complete control of an affected system. They affect a wide range of client and server Windows operating systems.

MS15-070 (CVE-2015-2375 through 2380, 2015-2415, and 2015-2424)

This security update resolves multiple vulnerabilities in Microsoft Office. Six (6) of these are memory corruption vulnerabilities, one (1) is an Address Space Layout Randomization vulnerability, and the other one (1) is a Remote Code Execution vulnerability. These affect a wide range of Office products, from 2007 through 2013 (including 2013 RT versions), one product on Mac, Viewers, and Excel Services on three (3) different versions of SharePoint. Lots of updates to be applied here, but it is highly advised to get them deployed.

MS15-071 (CVE-2015-2374)

Here we have an Elevation of Privilege vulnerability in Microsoft Windows. It exists in Netlogon and could allow an attacker to get elevated domain credentials by running a specially crafted application that establishes a secure channel to a Primary Domain Controller (PDC) as a Backup Domain Controller (BDC). Therefore, this affects domain controllers…so get those critical infrastructure servers updated.

MS15-072 (CVE-2015-2364)

A vulnerability in a graphics component in Microsoft Windows could potentially allow Elevation of Privilege if the component doesn’t properly process bitmap conversions. The attacker does need to be authenticated in order to exploit this one. It affects client and server versions of Microsoft Windows.

MS15-073 (CVE-2015-2363, 2015-2365 through 2367, 2015-2381 and 2382)

Here we see three (3) Elevation of Privilege vulnerabilities and three (3) Information Disclosure vulnerabilities in Windows kernel-mode drivers. The Elevation of Privilege vulnerabilities result from the way the kernel-mode drivers handle objects in memory. The Information Disclosure vulnerabilities could allow disclosure of kernel memory contents, addresses, or other sensitive kernel information that could be used in a later attack on the system (a leaked kernel address, for example, undermines address randomization). While these aren’t the more serious Remote Code Execution vulnerabilities, they could enable future attacks, so it is best to close these holes quickly.

MS15-074 (CVE-2015-2371)

This is a single Elevation of Privilege vulnerability in the Windows Installer service and the way it runs custom action scripts. Exploiting it is a more complex attack with a lot of moving parts. It affects a wide range of client and server Windows operating systems.

MS15-075 (CVE-2015-2416 and 2417)

Here we’ve got a pair of Elevation of Privilege vulnerabilities in Microsoft Windows OLE. They could be combined with another vulnerability to allow arbitrary code to run, but by themselves they don’t allow for remote code execution.

MS15-076 (CVE-2015-2370)

This is a vulnerability in Windows Remote Procedure Call (RPC) authentication. An attacker who is already logged on to the system has to execute a crafted application that exploits this vulnerability, which allows DCE/RPC connection reflection.

MS15-077 (CVE-2015-2387)

Finally, this bulletin addresses an Elevation of Privilege vulnerability in the Adobe Type Manager (ATM) Font Driver. The attacker would need to already be logged on to the system and then execute a specially crafted application in order to exploit this vulnerability.
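
The bulletin headers in this newsletter and in the August one above abbreviate their CVE lists ("CVE-2015-2375 through 2380, 2015-2415, and 2015-2424", "CVE-2015-2441 & 2442, 2446, and 2449"), which is awkward when you need to cross-reference them against a scanner or advisory feed that wants one canonical ID per line. As an added example that is not part of the original newsletter, the parser below expands those headers into full CVE IDs and checks the result against the counts the write-ups state, so a miscount in the prose or a mistyped range shows up before it reaches a ticket. The headers and counts are copied from the page; the code itself is the editor’s own.

```python
import re

# One bulletin header line as it appears in the newsletter, e.g.
#   MS15-070 (CVE-2015-2375 through 2380, 2015-2415, and 2015-2424)
HEADER_RE = re.compile(r"^\s*(MS\d{2}-\d{3})\s*\((.*)\)\s*$")

# Tokens inside the parentheses: the word "through", or a sequence number with
# an optional "CVE-" prefix and optional "YYYY-" year. Separators such as
# ",", "&" and "and" match neither alternative and are simply skipped.
TOKEN_RE = re.compile(r"\bthrough\b|(?:CVE-)?(?:(\d{4})-)?(\d{4,7})", re.IGNORECASE)

MAX_RANGE = 50  # a "through" span wider than this is almost certainly a typo


def expand_cves(header):
    """Return (bulletin_id, sorted list of canonical CVE IDs) for one header.

    A bare number inherits the year of the last fully qualified ID, and
    "A through B" expands to every ID from A to B inclusive within one year.
    Raises ValueError on a malformed header rather than silently guessing.
    """
    m = HEADER_RE.match(header)
    if not m:
        raise ValueError(f"not a bulletin header: {header!r}")
    bulletin, body = m.group(1), m.group(2)

    found = []             # (year, seq) pairs
    year = None            # year carried forward to bare sequence numbers
    last = None            # most recent (year, seq); start of a pending range
    pending_range = False
    for tok in TOKEN_RE.finditer(body):
        if tok.group(0).lower() == "through":
            if last is None:
                raise ValueError(f"'through' has no start value in {header!r}")
            pending_range = True
            continue
        if tok.group(1):
            year = int(tok.group(1))
        if year is None:
            raise ValueError(f"sequence {tok.group(2)} has no year in {header!r}")
        seq = int(tok.group(2))
        if pending_range:
            start_year, start_seq = last
            if year != start_year or not start_seq < seq <= start_seq + MAX_RANGE:
                raise ValueError(f"implausible range {last} through {seq} in {header!r}")
            found.extend((year, s) for s in range(start_seq + 1, seq + 1))
            pending_range = False
        else:
            found.append((year, seq))
        last = (year, seq)
    if pending_range or not found:
        raise ValueError(f"incomplete CVE list in {header!r}")
    return bulletin, sorted({f"CVE-{y}-{s:04d}" for y, s in found})


def audit(headers, expected_counts):
    """Cross-check each header's expanded CVE count against the count the
    bulletin write-up states. Returns (bulletin, stated, actual) for every
    mismatch; an empty list means the headers and the prose agree."""
    mismatches = []
    for header in headers:
        bulletin, cves = expand_cves(header)
        stated = expected_counts.get(bulletin)
        if stated is not None and stated != len(cves):
            mismatches.append((bulletin, stated, len(cves)))
    return mismatches


# Headers copied from the two newsletters, and the counts their write-ups
# state ("a pair", "three (3)", "four (4)", six plus one plus one, ...).
PAGE_HEADERS = [
    "MS15-068 (CVE-2015-2361 and 2362)",
    "MS15-070 (CVE-2015-2375 through 2380, 2015-2415, and 2015-2424)",
    "MS15-073 (CVE-2015-2363, 2015-2365 through 2367, 2015-2381 and 2382)",
    "MS15-075 (CVE-2015-2416 and 2417)",
    "MS15-090 (CVE-2015-2428 through 2430)",
    "MS15-091 (CVE-2015-2441 & 2442, 2446, and 2449)",
    "MS15-092 (CVE-2015-2479 through 2481)",
]
EXPECTED_COUNTS = {"MS15-068": 2, "MS15-070": 8, "MS15-073": 6, "MS15-075": 2,
                   "MS15-090": 3, "MS15-091": 4, "MS15-092": 3}

if __name__ == "__main__":
    for h in PAGE_HEADERS:
        bulletin, cves = expand_cves(h)
        print(bulletin, len(cves), ", ".join(cves))
    print("mismatches:", audit(PAGE_HEADERS, EXPECTED_COUNTS))
```

Run it against the headers of a new month by pasting them into PAGE_HEADERS; a non-empty result from audit means either the prose count or the header range is wrong and needs a second look before the IDs are fed to a vulnerability tracker.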

Bonus Vulnerability Coverage: Although not technically listed as a Microsoft Security Bulletin (listed as a Security Advisory), Microsoft updated Microsoft Security Advisory 2755801 on July 8th to address new vulnerabilities in the Adobe Flash Player. This only addresses the integrated Adobe Flash Player that was released as part of Internet Explorer 10 and Internet Explorer 11. Other versions of the Adobe Flash Player should be updated via the Adobe website. The Microsoft operating systems affected are Windows 8 & 8.1, Windows RT & RT 8.1, and Windows Server 2012 & 2012 R2. Because Adobe Flash content is so prevalent on the Internet and the vulnerabilities could potentially allow an attacker to take control of the affected system, this should also be considered a Critical update. Details are also available in Adobe Security bulletin APSB15-16. The McAfee Labs Security Advisory for these vulnerabilities is published as MTIS15-104.

Windows 10 Technical Preview and Windows Server Technical Preview: Many users may be testing both the Windows 10 Technical Preview and Windows Server Technical Preview. It is important to note that many of the vulnerabilities this month affect these early preview releases of Microsoft operating systems. Users that are testing these preview releases are encouraged to apply appropriate updates to their systems by visiting Microsoft Windows Update.

This blog is only an introduction to this topic, but even as an introduction I think there is much you might want to digest. More detailed write-ups of this functionality may follow in future.

TL;DR Version

Access Protection is being replaced by new tech, called Arbitrary Access Control (AAC), which is introduced through our core driver technology SYSCore version 15.3.0 and later.

Over time, more Intel Security products will release with this technology included and they'll use it to protect their own files, registry, etc.

Products that are new to protecting their own files, folders, registry keys and so on may not yet offer the full scope of functionality you're used to seeing with VirusScan Enterprise, such as notification events.

Background

Access Protection, as described in an earlier blog, is rudimentary in its purpose and design; it's super effective but with limitations. Well, those limitations are mostly imposed upon you, as in, we opted to _not_ expose its full potential to customers. And considering how some people have used what we did expose, and still manage to shoot themselves in the foot - figuratively turning their machines into bricks - it's no wonder we are cautious about unleashing this technology in all its glory. Maybe we could provide full capability to everyone but have it remain locked until the Admin takes and passes an Access Protection Driver's License Exam, or completes a mini-game that unlocks the "Behavior Blocking Badass" achievement. Hah. I kid, but I still think something like that is appropriate.

A companion concern that has to be assessed by us when entertaining the notion of exposing AP's full potential to customers is the Support cost associated with it, and today, I'm skeptical we have the infrastructure needed (or perhaps even the expertise at this time) to support the needs such exposure could generate. I'd feel better about it if, and perhaps only if, we incorporated the driver license idea or similar because that would ensure a level of proficiency on the Admin's part (I seriously doubt any Product Manager would suppose that a good idea; just let me chuckle to myself about it some more!)

Under-the-hood, we do take advantage of Access Protection's potential as needed. Some of our default AP rules are quite complex in their definition. And I think most everyone who has sought to use this feature has experienced the front-end limitations we've imposed, where only processes can be set as things to include or exclude, along with a singular "thing to protect". Under-the-hood we have rules defined to protect multiple objects; processes, files, folders, registry keys, ports etc, all in a single rule, and each object can be defined as having its own type of restriction (create, read, write, delete etc).

None of the above protection is possible unless VirusScan Enterprise is installed. Access Protection is a VSE feature. SiteAdvisor 3.5 has a hardening option, but said hardening is only possible if VSE is installed because they leverage Access Protection, laying down a set of rules of their own for AP to enforce. The same is true of the DAT Reputation functionality, now inherent for consumers of our AVV*.DAT files, and there are others who piggyback also.

A problem we wanted to solve was to provide this type of protection for Intel Security products without the dependency upon VSE. This was easily solved in concept. The technology VSE used to provide Access Protection functionality is, and has always been, a separate component of the product. We simply needed an alternate means to distribute that technology into the field. It would become a common component of any/all Windows-based products, be it the Agent, Host Intrusion Prevention, VirusScan, whatever - every release would include that common technology (for installation/upgrade purposes) and the product would simply convey to that technology what it wants protected. That common technology is called Arbitrary Access Control, or AAC - the name may change in future, who knows, but if you say AAC to someone from our side of the fence hopefully we'll know what you're referring to. AAC replaces Access Protection.

SYSCore 15.3.0.x (and later)

This common technology, AAC, exists in SYSCore version 15.3 and later. SYSCore is comprised of various mfe*.sys files, and mfevtps.exe (the validation trust protection service). It is the part of Intel Security software that melds with the brain of your device (kernel code). I've stated elsewhere that when this code changes in version it should be a signal to tell yourself, "We need to do some testing against this release before deploying it".

You might notice that newer software releases from Intel Security, products that in the past relied on VSE to protect their files/registry etc, are now providing their own protection coverage when only their application is installed. It's because they installed AAC and told it what to protect. That being the case, be forewarned that the risk associated with patching VSE should be viewed more generally now, since the newer SYSCore binaries could be accompanying other product releases too.

Some products that come to mind that have already begun to use SYSCore 15.3 (or later) are: McAfee Agent 5.0, TIE/DxL 1.01, VSE 8.8 Patch 5, HIPS 8.0 Patch 5, Stinger utility. And in saying that I should point out that these products may not install _all_ of SYSCore's components; they install only what they need, so it's feasible and OK to have a mixed bag of file versions for mfe*.sys files when using multiple Intel Security products. Where products do install the same SYSCore components, the highest version wins.

Another thing to add regarding SYSCore files: You cannot downgrade them; nor can we forcefully overwrite or downgrade them - to do so would result in a BSOD (worst case, continual BSODs); the brain surgery analogy comes to mind again. If any code path accesses the now missing area of code, the result is fatal. An operation could appear successful though, no instability, but it will then mess up internal reference counters that will cause future problems for you.

To be able to install an older version of these files you must remove all Intel Security products that share/use that technology, and then reinstall the desired version. Typically the notion of downgrading only comes up when a product or patch was installed that updated SYSCore, and an unexpected (serious) issue occurs - the desire is to back-pedal and try to reset the system to a known good state. This is understandable, just be mindful that for us to investigate whatever caused the outage we will need data and that might mean having to revisit the setup that failed. See my prior blog on Patching VSE for tips on preparing to adopt new code, because if you prepared well we will have something to work with.

Differences between Access Protection and AAC

As far as VirusScan is concerned, any difference should not be noticeable to you as the customer (unless of course you found a bug), or to end users, as explained below. There are differences, however...

For products that never provided their own protections before, it's absolutely a new thing that they now install SYSCore and define what objects of theirs are to be protected.

MFEAPFK.SYS was the driver that provided Access Protection checking and enforcement, but it no longer exists in 15.3, having been replaced by mfeaack.sys and supporting files. If you still see mfeapfk.sys on your system when SYSCore 15.3 is installed, a product that needs that older driver's functionality is still installed; that functionality wasn't carried over to mfeaack.sys because it wasn't the appropriate place for the code.
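
The rules stated above (products install only the SYSCore components they need; where two products carry the same component the highest version wins; a SYSCore file is never downgraded in place; mfeapfk.sys lingering next to an AAC-capable mfeaack.sys means some installed product still needs the old driver) are exactly what you want to check before pushing a package that carries new SYSCore binaries. The script below is an added example, not Intel Security code: a pre-deployment gate that applies those rules to a file inventory and tells you, per host, which SYSCore files a package would change and whether the legacy driver is still in play. The inventory column layout (host,file,version), the sample rows and every version number in them are constructed for illustration.

```python
import csv
import io

# SYSCore release that introduced AAC, per the post; used only to decide
# whether a lingering mfeapfk.sys is worth flagging.
AAC_MIN_VERSION = (15, 3, 0, 0)


def is_syscore_file(name):
    """The post describes SYSCore as the mfe*.sys drivers plus mfevtps.exe."""
    name = name.lower()
    return name == "mfevtps.exe" or (name.startswith("mfe") and name.endswith(".sys"))


def parse_version(text):
    """'15.3.0.1234' -> (15, 3, 0, 1234). Missing trailing fields count as 0 so
    '15.3' compares below '15.3.0.1'. Tuples compare field by field, which is
    what 'highest version wins' needs (a plain string compare would wrongly
    put '15.10' below '15.3')."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad version string {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def load_inventory(csv_text):
    """Rows 'host,file,version' -> {host: {filename: version_tuple}}; rows for
    non-SYSCore files are dropped. The column layout is an assumption."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_syscore_file(row["file"]):
            hosts.setdefault(row["host"], {})[row["file"].lower()] = parse_version(row["version"])
    return hosts


def plan_install(installed, package):
    """Per-file outcome of laying a product package over one host.

    'install'  file not yet on the host
    'upgrade'  package carries a newer copy
    'keep'     host already has an equal or newer copy; the highest version
               wins, so the package's older copy is never written
    There is deliberately no 'downgrade' outcome: the post is explicit that
    SYSCore files cannot be rolled back in place.
    """
    plan = {}
    for name, pkg_ver in package.items():
        cur = installed.get(name)
        if cur is None:
            plan[name] = "install"
        elif pkg_ver > cur:
            plan[name] = "upgrade"
        else:
            plan[name] = "keep"
    return plan


def legacy_ap_driver_lingers(installed):
    """True when mfeapfk.sys is still present next to an AAC-capable
    mfeaack.sys: some installed product still depends on the pre-15.3
    Access Protection driver."""
    aac = installed.get("mfeaack.sys")
    return aac is not None and aac >= AAC_MIN_VERSION and "mfeapfk.sys" in installed


def report(csv_text, package):
    """Per-host summary to gate a rollout on: whether any SYSCore file changes
    (kernel code changes, so test that combination first) and whether the
    legacy driver is still in play."""
    out = {}
    for host, installed in load_inventory(csv_text).items():
        plan = plan_install(installed, package)
        out[host] = {
            "plan": plan,
            "changes_syscore": any(a != "keep" for a in plan.values()),
            "legacy_ap_driver": legacy_ap_driver_lingers(installed),
        }
    return out


# Constructed sample rows; version numbers are illustrative, not real builds.
INVENTORY = """host,file,version
WS01,mfeaack.sys,15.3.0.1
WS01,mfeapfk.sys,15.2.0.4
WS01,mfevtps.exe,15.2.0.4
WS02,mfeapfk.sys,15.2.0.4
WS02,mfevtps.exe,15.2.0.4
WS02,notepad.exe,6.1.7601
WS03,mfeaack.sys,15.4.0.2
WS03,mfevtps.exe,15.4.0.2
"""

# Constructed payload of a product release that carries SYSCore 15.3.
PACKAGE = {"mfeaack.sys": (15, 3, 0, 1), "mfevtps.exe": (15, 3, 0, 1)}

if __name__ == "__main__":
    for host, summary in sorted(report(INVENTORY, PACKAGE).items()):
        print(host, summary)
```

Hosts where changes_syscore is true are the ones that get the new kernel code and therefore belong in the test ring the post recommends; hosts where legacy_ap_driver is true still have a consumer of mfeapfk.sys, which is worth knowing before you go looking for Access Protection behaviour in mfeaack.sys.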

Rules are defined differently in AAC. But as I said earlier, from a customer-perspective there should be no observable difference. What happens under-the-hood though is quite different indeed.

Access Protection used a simplistic syntax for defining rules which would be interpreted on the client when the rules were being loaded. The rules would be loaded from VSCAN.BOF (where our defaults exist), and the registry (where User-defined rules are stored, as well as any edited default rules which will overwrite those from VSCAN.BOF).

AAC uses XML to describe the rules. Each rule is assigned a rule ID, and each product that creates rules is assigned a product ID, which allows a single product to have multiple rules and multiple products to share a single rule.

In SYSCore 15.3, since there is no longer an MFEAPFK.SYS driver that will understand Access Protection rules, the newer mfeaack.sys driver comes with a backward compatible shim. Its purpose in life is to read and understand the rule format used by Access Protection, and to convert those rules into AAC-equivalent rules. Eventually, Access Protection rules and that backward compatibility shim may be phased out entirely.

AAC is more powerful than Access Protection. It allows for securing more types of objects (this is only going to be leveraged internally of course) and with better control or flexibility, affording more intelligent rules to be defined. VSE probably won't be seeing any of that additional intelligence... the goal for VSE is to provide the same protection level with the newer technology. The future, however, could be quite exciting - I'm not sure what degrees of flexibility and control we're going to expose yet.

Rule matching is expensive in Access Protection. VSE suffered for performance under certain conditions, typically when processing a lot of registry I/O per second with various AP rules to compare all that activity against using string comparisons, and string comparisons with wildcards can create noticeable overhead. AAC's rule matching is faster, depending on the rule; at worst it is no slower than VSE, so we can expect some performance gain even with the additional rules that come with this greater protection (i.e. products providing their own AAC rule sets to protect their own objects).

Troubleshooting

In the case of VSE, troubleshooting AAC issues can be done in much the same way as troubleshooting Access Protection issues -

disabling the feature

adding a process to exclude

setting a rule to Report only

disabling specific rules, or even all rules, while keeping the feature enabled

renaming the driver (mfeaack.sys) and rebooting; this is a brutish troubleshooting step, and should only be done with acknowledgement of it being a test only. When used as a means of progressive elimination it can be telling of the nature of an issue.

for an in-depth view of the functionality, an internal tool (ETLTrace) is required, and it must be version 15.3 or later. Support may request that you use this tool when investigating related issues.

A non-supported EXE is included with SYSCore 15.3 called "AACINFO.exe", which Support will use to export the in-memory AAC rules (for example, aacinfo.exe query >aac_rules.xml). This tool cannot be used to configure AAC.

Growing Pains

Security through obscurity has limited value, but development teams may still implement protections in that manner. Example: as stated above, AAC is new technology, and other products (like McAfee Agent 5.0) now install and use it to provide their own protections. VSE has an Event/Alert subsystem for processing events, sending the information to ePO and recording the violation in the local event logs, but MA does not; it only has local logging functionality (at the time of this posting - see KB82881). We can expect some growing pains as products adapt to AAC and recognize the other supporting functionality that is needed. Providing visibility into when violations occur and what was blocked is a good example.

That doesn't mean you should postpone an upgrade, it just means there may be another data point to consider when you're investigating a symptom that looks Access Protection-related but troubleshooting has revealed it's clearly not VSE's Access Protection that's involved.

This is Greg Blaum again with the Microsoft Patch Tuesday newsletter for June 2015.

June is a lighter month for patches; Microsoft released a total of eight (8) new security bulletins. For this month, two (2) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other six (6) are rated Important.

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

Here is the standard cumulative Internet Explorer Security Update. This is another big Internet Explorer update, addressing 24 vulnerabilities in multiple versions of Internet Explorer. The vulnerabilities in this update affect Internet Explorer 6 through Internet Explorer 11 on all currently supported versions of Windows. Because such a wide range of Internet Explorer versions is affected, this covers a very large installed base of Internet Explorer users. Let’s take a closer look at the vulnerabilities covered by this patch:

Twenty (20) of these vulnerabilities are Internet Explorer Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.

Three (3) of these vulnerabilities are Elevation of Privilege vulnerabilities. On their own, these vulnerabilities would not allow arbitrary code execution. They would need to be combined with an unprotected remote code execution vulnerability in order for an attacker to be able to execute arbitrary code.

The final one (1) vulnerability in this update is an Information Disclosure vulnerability. An attacker who exploited this vulnerability could potentially get access to the Internet Explorer browser history.

As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen or an email message, or by opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.

MS15-057 (CVE-2015-1728)

This security update resolves a vulnerability in the Windows Media Player. A specially crafted media file could be created that would utilize this Remote Code Execution vulnerability. Typically you’d see these types of media files posted on a malicious site and perhaps a link to them sent to a user in an email.

MS15-059 (CVE-2015-1759, 1760, and 1770)

This bulletin addresses multiple Remote Code Execution vulnerabilities in Microsoft Office. One of these vulnerabilities is specifically in Microsoft Office Compatibility Service Pack 3. Vulnerability CVE-2015-1760 is present in both Microsoft Office 2010 Service Pack 2 and Microsoft Office 2013 Service Pack 1. The final vulnerability, CVE-2015-1770, is present in Microsoft Office 2013 Service Pack 1 and Microsoft Office 2013 RT Service Pack 1. All three (3) vulnerabilities are caused when Office improperly handles objects in memory and would be exploited by opening a specially crafted file with a vulnerable version of Microsoft Office. Note that users with more than one version of Microsoft Office installed may be prompted to install multiple updates.

MS15-060 (CVE-2015-1756)

Here we have a Remote Code Execution vulnerability in Microsoft Common Controls. It occurs when the code in the Common Controls attempts to access an object in memory that has either not been correctly initialized or has already been deleted. Interestingly, it is triggered when a user invokes the F12 Developer Tools in Internet Explorer.

MS15-061 (CVE-2015-1719 through 1727, 1768, and 2360)

This security update addresses ten (10) Elevation of Privilege vulnerabilities and one (1) Information Disclosure vulnerability in Windows Kernel-Mode Drivers. The Information Disclosure vulnerability is a result of improper handling of buffer elements, which allows an attacker to view the contents of specific memory addresses. The Elevation of Privilege vulnerabilities are a result of improperly freeing an object in memory, insufficient validation of data being passed from user mode to kernel mode, improperly validating user input, and attempting to access an object in memory that has either not been correctly initialized or has already been deleted. These vulnerabilities exist in Microsoft’s currently supported Client Operating Systems as well as Server Operating Systems.

MS15-062 (CVE-2015-1757)

This security update resolves an Elevation of Privilege vulnerability in Active Directory Federation Services (AD FS) 2.0 and 2.1. An attacker who exploited this vulnerability could perform a cross-site scripting attack, resulting in the malicious script being run in the security context of the currently logged-on user.

MS15-063 (CVE-2015-1758)

Here we have an Elevation of Privilege vulnerability in Microsoft Windows. It exists in LoadLibrary, which loads a specified module (a .DLL or an .EXE) into memory. In order to exploit this vulnerability, an attacker would need to copy a malicious DLL file locally or onto a network share. Then a program would have to execute that would load the malicious DLL file. This vulnerability exists in multiple versions of Microsoft’s Client and Server Operating Systems.

MS15-064 (CVE-2015-1764, 1771, and 2359)

Finally, this bulletin addresses two (2) Information Disclosure vulnerabilities and one (1) Elevation of Privilege vulnerability in Microsoft Exchange Server 2013 Service Pack 1 and Microsoft Exchange Server 2013 Cumulative Update 8. All three (3) vulnerabilities are in Microsoft Exchange web applications. There are no workarounds for these vulnerabilities, so administrators of affected Exchange Servers should implement these fixes as soon as possible.

Bonus Vulnerability Coverage: Although not technically listed as a Microsoft Security Bulletin (listed as a Security Advisory), Microsoft updated Microsoft Security Advisory 2755801 on June 9th to address new vulnerabilities in the Adobe Flash Player. This only addresses the integrated Adobe Flash Player that was released as part of Internet Explorer 10 and Internet Explorer 11. Other versions of the Adobe Flash Player should be updated via the Adobe website. The Microsoft operating systems affected are Windows 8 & 8.1, Windows RT & RT 8.1, and Windows Server 2012 & 2012 R2. Because Adobe Flash content is so prevalent on the Internet and the vulnerabilities could potentially allow an attacker to take control of the affected system, this should also be considered a Critical update. Details are also available in Adobe Security bulletin APSB15-11. McAfee Labs Security Advisories for these vulnerabilities will be published when available on the McAfee Labs Security Advisories Community site.

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products, not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

Windows 10 Technical Preview and Windows Server Technical Preview: Many users may be testing both the Windows 10 Technical Preview and Windows Server Technical Preview. It is important to note that many of the vulnerabilities this month affect these early preview releases of Microsoft operating systems. Users that are testing these preview releases are encouraged to apply appropriate updates to their systems by visiting Microsoft Windows Update.

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

The McAfee Email Gateway appliance provides the ability to create clusters of appliances. A cluster may consist of two or more appliances. This article will go into a few best practices for the creation and management of MEG clusters.

Cluster Creation

When setting up a cluster of MEG appliances, determine what your performance needs are. If you are going to be handling a lot of mail, you will want more cluster members. If you are not going to be handling as much mail, but are looking for the redundancy the cluster provides, you may just want two cluster members.

When configuring a cluster for the first time, choose a cluster ID that is not the default. If you leave the default ID in place, new devices may find themselves added directly to the already existing cluster even though you did not intend them to be. Once your cluster ID is set to something other than the default, it will be necessary to reimage the appliance to change the ID. We use VRRP to do our clustering, so make sure that you note any other VRRP clusters on the same network the MEG will be on before setting this up.

Cluster members must be on the same local network in order to work. Because we make use of VRRP, if appliances are present in different physical networks and are separated by a router, the devices will be unable to talk to each other. If they are separated by a WAN link (even on the same VLAN), the devices may be unable to talk to each other in a reasonable time, thus resulting in the boxes being unable to connect properly. We do not support configuration of appliances into clusters incorporating a WAN link.

When creating clusters of virtual machines, it is necessary to ensure that either the VMs have direct access to the network to which the host machine is attached, *OR* all the cluster members are present on the same host device. If not, cluster members may be unable to talk to each other.

Clusters may have three types of devices in them:

1. Cluster Master - This device is the main host in the cluster. It acts as the primary traffic cop for inbound and outbound traffic, and handles all communications with the outside world. It may or may not also host a scanning device.

2. Cluster Failover - This device is the backup host in the cluster. Should the Master fail and go offline, the Failover appliance will take up the traffic cop duties until the Master comes back online. If the Master hosts a scanner, this device will also host a scanner.

3. Cluster Scanner - This is a standalone scanning device. It receives its configuration, updates, and traffic to scan from the device currently handling all traffic for the cluster.

If a cluster has five or more appliances, the Master (and by extension, the Failover) should not be scanning traffic. If a cluster has more than six devices, consider purchasing one of our MEG Blade servers instead. If a cluster has three or fewer members, the Master and Failover devices should be scanners. Clusters with exactly four members can go either way, as desired.

Cluster Administration

DO NOT use the configuration push feature built into the MEG appliances to push config from the Master to other devices in the same cluster. KB82172 has additional details about the results of doing so. Additionally, if using Configuration Push to push between clusters, push from the Master of one cluster to the Master of the other. Never push configuration to other devices in the destination cluster.

When booting your cluster, make sure that the Failover appliance boots first, then the Master. Any scanners may be brought up any time after the Failover has come up. Failure to boot in this order may result in communication issues between the master and failover appliances.

When performing software updates, ALWAYS install the update on the Failover first. After updating the Failover, allow it to come back online, then take down the Master. Dedicated scanning devices may be updated any time after the Failover update commences. Note that if mail flow must be maintained and your Master and Failover devices are not scanners, it is necessary to update the Failover and at least one scanner, THEN update the Master and the rest of the scanners.

All cluster members must be running the same version of the software. A device in the cluster that is on a different version may receive traffic for scanning from the Master for a short time, but once its configuration gets too far out of date (since the Master can no longer update it), that device will stop being used to scan traffic. Note that if the Failover appliance is the one on a different version, this may result in mail flow problems in the event of the Master becoming unavailable.
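As an added example (not part of the MEG product or of this article), the following Python models the sizing, update-order and same-version rules above and simulates an update step by step to show why a dedicated scanner must be updated before the Master when the Master and Failover do not scan. Member names, roles and the version labels "old"/"new" are constructed placeholders.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Member:
    name: str
    role: str            # "master", "failover" or "scanner"
    version: str
    scans: bool = True   # does a master/failover also host a scanner?

def _one(members, role):
    found = [m for m in members if m.role == role]
    if len(found) != 1:
        raise ValueError(f"cluster needs exactly one {role}, found {len(found)}")
    return found[0]

def check_cluster(members):
    """Findings against the sizing and version rules described in the text."""
    findings, n = [], len(members)
    master, failover = _one(members, "master"), _one(members, "failover")
    if master.scans != failover.scans:
        findings.append("failover must host a scanner exactly when the master does")
    if n >= 5 and master.scans:
        findings.append(f"{n} members: master and failover should not scan traffic")
    if n <= 3 and not master.scans:
        findings.append(f"{n} members: master and failover should be scanners")
    if n > 6:
        findings.append(f"{n} members: consider a MEG Blade server instead")
    if len({m.version for m in members}) > 1:
        findings.append("mixed software versions: out-of-date members stop scanning")
    return findings

def update_order(members):
    """Failover first; when master/failover do not scan, one dedicated scanner is
    updated before the master so mail keeps flowing; then the master, then the rest."""
    master, failover = _one(members, "master"), _one(members, "failover")
    scanners = [m.name for m in members if m.role == "scanner"]
    if not failover.scans and scanners:
        return [failover.name, scanners[0], master.name] + scanners[1:]
    return [failover.name, master.name] + scanners

def mail_flows_throughout(members, order, target):
    """Take each member in `order` offline in turn and update it. Mail flows only while
    a traffic cop (master, else failover) is online with at least one online scanner on
    the cop's version. Simplification: a version mismatch disables a scanner at once."""
    state = {m.name: m for m in members}
    for name in order:
        online = [m for n, m in state.items() if n != name]
        cop = next((m for m in online if m.role == "master"),
                   next((m for m in online if m.role == "failover"), None))
        if cop is None or not any(m.scans and m.version == cop.version for m in online):
            return False
        state[name] = replace(state[name], version=target)
    return True

# Constructed sample clusters; version labels are placeholders, not real MEG versions.
SIX_NODE = [Member("master", "master", "old", False), Member("fo", "failover", "old", False)] + [
    Member(f"s{i}", "scanner", "old") for i in range(1, 5)]
THREE_NODE = [Member("master", "master", "old"), Member("fo", "failover", "old"),
              Member("s1", "scanner", "old")]
```

Running `mail_flows_throughout(SIX_NODE, ["fo", "master", "s1", "s2", "s3", "s4"], "new")` returns False because no up-to-date scanner exists while the Master is down, whereas the order from `update_order(SIX_NODE)` keeps mail flowing at every step.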

Cluster Reporting

When a cluster is properly formed, all reporting data gets passed to the Master appliance. Should the Master fail, the Failover will not have the reporting data present on the Master, as it doesn't replicate that data. Additionally, when the Master comes back online, the Failover's data will not be passed back to the master. This is due to a limitation present in the way the cluster setup is performed.

External Device Integration

When integrating clustered MEG appliances with ePO, only the Master should be connected. The Master and Failover are the traffic cops for the cluster, providing logging data and accepting configuration changes. Note, however, that because of the way ePO currently handles the MEG data, connecting the Failover appliance to ePO will result in some dashboard data duplication on the ePO server.

When integrating with the MQM, make sure that the master and failover are using the default device ID. Failure to do so will result in the Master's configuration being pushed to the Failover, and mail may not be quarantined properly (and thus may be unavailable for release).

For additional information, please see the following KB articles which cover some of the topics above.